HomeCyber BalkansHackers taking advantage of stored XSS vulnerability in WordPress plugins

Hackers taking advantage of stored XSS vulnerability in WordPress plugins

Published on

spot_img

In recent cyberattacks, hackers are taking advantage of stored cross-site scripting (XSS) vulnerabilities found in various WordPress plugins, as per reports from Fastly. The vulnerabilities identified as CVE-2024-2194, CVE-2023-6961, and CVE-2023-40000 are being exploited due to insufficient input sanitization and output escaping, permitting attackers to inject malicious scripts.

The first plugin affected by this is the WP Statistics plugin, specifically versions 14.5 and below. This plugin is susceptible to stored cross-site scripting through the URL search parameter. This vulnerability enables unauthenticated attackers to inject arbitrary web scripts via the URL search parameter, which are then executed whenever a user accesses the injected page. The attacker ensures the payload is visible on the most visited pages by repeatedly sending requests containing the malicious script.

Secondly, the WP Meta SEO plugin, versions 4.5.12 and older, is also at risk of stored cross-site scripting attacks through the Referer HTTP header. By sending a payload to a target site, especially to a page that generates a 404 response, attackers can inject obfuscated JavaScript from a callback domain and execute it in the victim’s browser when an administrator loads the 404 & Redirects page.

Lastly, the LiteSpeed Cache plugin for WordPress, versions up to 5.7.0.1, is vulnerable to stored cross-site scripting via the ‘nameservers’ and ‘_msg’ parameters. Admins accessing backend pages unknowingly trigger this XSS vulnerability because the payload is disguised as an admin notification, leading to the execution of malicious scripts using their credentials for further nefarious activities.

In terms of the malicious JavaScript employed by these attackers, it carries out actions such as injecting PHP backdoors into plugin and theme files, creating new administrator accounts, and implementing tracking via Yandex. The PHP backdoors search for wp-loads.php files and insert scripts into wp-config.php, among other actions like creating new admin user credentials for unauthorized access.

Furthermore, different threat actors are linked to the exploitation of the identified vulnerabilities. Media.cdnstaticjs[.]com, idc.cloudiync[.]com, and other domains are utilized for attacks targeting CVE-2024-2194, CVE-2023-6961, and CVE-2023-40000. These attacks come from various IP addresses, with multiple requests attempting to exploit the vulnerabilities, particularly from AS202425 (IP Volume Inc.) and AS210848 (Telkom Internet LTD).

Domains like assets.scontentflow[.]com and cache.cloudswiftcdn[.]com are also associated with these attacks, where scripts are structured to backdoor infected sites. The indicators of compromise include multiple domains and IP addresses that are linked to the malicious activities observed.

In conclusion, the ongoing cyberattacks exploiting stored XSS vulnerabilities in WordPress plugins pose a serious threat to website security. It is essential for website administrators to update their plugins regularly and implement robust security measures to prevent such attacks from compromising their sites.

Source link

Latest articles

Cribl Focuses on TTP-Based Detection Through Acquisition of CardinalOps

Startup Enhances Security Posture Through Strategic Acquisition Cribl Inc. Enhances Security Detection With CardinalOps Acquisition In...

Hackers Combine Stolen Wallet Databases with Keychain Passwords for Offline Crypto Theft

Rising Threat: macOS Malware Combines Stolen Data for Cryptocurrency Theft In a notable development in...

US Launches Gold Eagle to Enhance AI-Driven Vulnerability Management

The U.S. government is intensifying its efforts to address the escalating vulnerabilities in cybersecurity...

AI Leaders Gaining an Edge in Quantum Readiness

Agentic AI, Artificial Intelligence & Machine Learning, ...

More like this

Cribl Focuses on TTP-Based Detection Through Acquisition of CardinalOps

Startup Enhances Security Posture Through Strategic Acquisition Cribl Inc. Enhances Security Detection With CardinalOps Acquisition In...

Hackers Combine Stolen Wallet Databases with Keychain Passwords for Offline Crypto Theft

Rising Threat: macOS Malware Combines Stolen Data for Cryptocurrency Theft In a notable development in...

US Launches Gold Eagle to Enhance AI-Driven Vulnerability Management

The U.S. government is intensifying its efforts to address the escalating vulnerabilities in cybersecurity...